1:51 p.m.
could someone point me in the direction of getting ntp to work with selinux
on fedora C2? does anyone have experience with this? is it supposed to
just work with the default file_contexts? any help is appreciated...thanks
j
..
10:01 p.m.
On Thu, 17 Jun 2004 04:51, "Jason Hooper" <jhooper(a)tlcontact.com> wrote:
could someone point me in the direction of getting ntp to work with
selinux
on fedora C2? does anyone have experience with this? is it supposed to
just work with the default file_contexts? any help is
appreciated...thanks
For the typical operation (synchronising from a master server somewhere on the
net) it is supposed to just work, it does for me. I have a rawhide machine
running the strict SE Linux policy synchronising with an NTP server right
now, and I don't believe that FC2 differs from the current rawhide in any
significant way related to NTP.
Does ntpd support directly interfacing with GPS hardware or other accurate
time sources? If so some extra policy will be needed to support this.
If you see any AVC messages related to ntpd then please post them to this
list.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
9:03 a.m.
Yeah it seems like it should just work...yet it doesn't...wierd. I have
two machines trying to sync ( well, three, but the third one works and is
not selinux )
I get this avc on both :
Machine1 :
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write
} for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
tclass=chr_file
Machine2 :
Jun 17 06:11:33 doh2 kernel: audit(1087470693.719:0): avc: denied { write
} for pid=2335 exe=/usr/sbin/ntpdate path=/ dev=hda2 ino=5060
scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
tclass=chr_file
Machine2 has an ntpd.te file while machine1 does not. Does that matter in
this case? I can send it if its needed.
Thanks again for the help
..
-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Wednesday, June 16, 2004 10:01 PM
To: fedora-selinux-list(a)redhat.com
Cc: Jason Hooper
Subject: Re: ntp
On Thu, 17 Jun 2004 04:51, "Jason Hooper" <jhooper(a)tlcontact.com> wrote:
could someone point me in the direction of getting ntp to work with
selinux
on fedora C2? does anyone have experience with this? is it
supposed
to
just work with the default file_contexts? any help is
appreciated...thanks
For the typical operation (synchronising from a master server somewhere on
the
net) it is supposed to just work, it does for me. I have a rawhide machine
running the strict SE Linux policy synchronising with an NTP server right
now, and I don't believe that FC2 differs from the current rawhide in any
significant way related to NTP.
Does ntpd support directly interfacing with GPS hardware or other accurate
time sources? If so some extra policy will be needed to support this.
If you see any AVC messages related to ntpd then please post them to this
list.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
9:09 a.m.
On Thu, 2004-06-17 at 10:03, Jason Hooper wrote:
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied {
write
} for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
tclass=chr_file
Mismatch between your kernel and policy. RedHat released a kernel
update for FC2 without updating the policy accordingly. If you update
to selinux-policy-strict in the devel tree, you should be ok. But note
that this also requires updating SysVinit, libselinux, and possibly
other components as the policy layout has changed completely in the
devel tree.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
11:27 p.m.
On Fri, 18 Jun 2004 00:03, "Jason Hooper" <jhooper(a)tlcontact.com> wrote:
Yeah it seems like it should just work...yet it doesn't...wierd.
I have
two machines trying to sync ( well, three, but the third one works and is
not selinux )
I get this avc on both :
Machine1 :
Jan 3 02:11:03 doh1 kernel: audit(1041581463.810:0): avc: denied { write
} for pid=1694 exe=/usr/sbin/ntpdate path=/ dev=hda3 ino=3367
scontext=root:system_r:ntpd_t tcontext=system_u:object_r:root_t
tclass=chr_file
Machine2 has an ntpd.te file while machine1 does not. Does that matter in
this case? I can send it if its needed.
To be pedantic, you would not have a domain of "ntpd_t" unless there was
ntpd.te installed. Machine1 may have installed a binary policy, or the
source policy may have been changed, but ntpd.te was certainly used.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
7300
days inactive
7302
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Jason Hooper -
Russell Coker -
Stephen Smalley